CN108055122B - Verifiable memory leak prevention dynamic searchable encryption method and cloud server

Publication number: CN108055122B
Application number: CN201711146556.1A
Authority: CN (China)
Other versions: CN108055122A (en)
Legal status: Active (application granted)
Inventors: 陈晓峰, 管文浩, 王剑锋, 王贇玲, 袁浩然
Assignee (original and current): Xidian University
Prior art keywords: data owner, key, vht, node, search

Classifications

    • H04L 9/0643: Cryptographic mechanisms; hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L 63/06: Network security; supporting key management in a packet data network
    • H04L 63/083: Network security; authentication of entities using passwords
    • H04L 63/123: Network security; verification of received data contents, e.g. message integrity
    • H04L 63/1441: Network security; countermeasures against malicious traffic
    • H04L 9/0838: Key establishment; key agreement, i.e. a shared key derived from information contributed by each party
    • H04L 9/085: Key establishment; secret sharing or secret splitting, e.g. threshold schemes


Abstract

The invention belongs to the technical field of cloud computing and discloses a verifiable dynamic searchable encryption method that resists memory leakage, together with a cloud server. The data owner builds an index and an encrypted file set, outsources both to the cloud server, submits keyword trapdoors to search for the matching files, and verifies the returned search results; the data owner can also update the encrypted file set. The cloud server stores the encrypted file set and the index, searches the index with the trapdoor, returns the matching results together with a proof, and updates the stored proof after each update operation of the data owner. The invention provides the first dynamic symmetric searchable encryption scheme that achieves resistance to memory information leakage and verifiability at the same time, protecting the secrecy of the key and the correctness and integrity of the search results; it also removes the instability of keys generated from a physically unclonable function and so establishes a more reliable key generation mechanism.

Description

Verifiable memory leak prevention dynamic searchable encryption method and cloud server
Technical Field
The invention belongs to the technical field of cloud computing, and particularly relates to a verifiable dynamic searchable encryption method for preventing memory leakage and a cloud server.
Background
In the information age, more and more resources are gathered on the internet. To manage and use internet resources efficiently, cloud computing has emerged as a scalable, high-throughput computing paradigm. Cloud computing offers powerful data storage, and more and more individuals and companies are willing to outsource data to cloud servers; outsourced cloud storage relieves the data owner of a large local data-management overhead. However, outsourcing data inevitably raises data security and privacy concerns. Data owners therefore usually outsource encrypted data, which raises the problem of how to perform keyword retrieval over ciphertext. Searchable Encryption (SE) addresses this dilemma: it allows a client to outsource a file set to a cloud server in ciphertext form while retaining the ability to retrieve files by keyword. According to the encryption algorithm used, searchable encryption is divided into Symmetric Searchable Encryption (SSE) and Public-key Encryption with Keyword Search (PEKS). Compared with SSE, PEKS supports richer query functionality but is less efficient on large amounts of data; since cloud environments process large amounts of data, SSE is better suited to building cloud computing applications. The security of SSE has two aspects: first, the index and the search trapdoors may leak sensitive information that should not be exposed to the cloud server; second, a malicious server may return incorrect search results for its own benefit. A secure SSE scheme should therefore have a secure index and trapdoor structure and, against a malicious server, give the client the ability to verify the correctness and integrity of the search results.
There is much research on constructing secure SSE schemes, but fast and effective physical attacks such as side-channel attacks now exist that can easily extract the secret information a user stores in non-volatile memory, so the indexes and trapdoors of most existing SSE schemes are no longer secure. The only prior dynamic SSE scheme that resists memory leakage is the one by Dai et al. [Dai S, Li H, Zhang F. Memory leakage-resilient searchable symmetric encryption. Future Generation Computer Systems, 2016, 62:76-84], which resists memory attacks by replacing the long-term information stored in non-volatile memory with Physically Unclonable Functions (PUFs); however, that scheme assumes an honest-but-curious cloud server, that is, it does not consider a malicious server, and the client has no way to verify the search results.
In summary, the prior art has the following problem: no existing symmetric searchable encryption method resists memory attacks and malicious servers at the same time. Specifically: first, the existing verifiable symmetric searchable encryption methods that address malicious servers simply assume that the keys are stored in non-volatile memory, and once an attacker obtains those keys by a side-channel attack or similar means, the verification in those methods is void; second, the existing symmetric searchable encryption method that resists memory attacks cannot verify search results.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a verifiable dynamic searchable encryption method for preventing memory leakage and a cloud server.
The invention is realised as follows. The verifiable memory-leakage-resilient dynamic searchable encryption method combines a physically unclonable function with secret sharing: each PUF output is turned into a share, the key is reconstructed from the shares only at the moment it is used, and no secret information is stored in non-volatile memory, which is what defeats memory attacks. A binary tree VHT that combines the properties of a Merkle hash tree and a binary search tree is used to build the secure index, and an update of the file set is an update of nodes on the VHT. A MAC is computed over the hash value of the VHT root node and a counter; the cloud server returns the search path on the index together with the MAC value as the proof; the data owner recomputes the VHT root hash from the search path, computes the MAC over that root hash and the locally stored counter, and compares it with the returned MAC: if the two are equal, verification passes, otherwise it fails. The cloud server signs the counter that the data owner keeps locally, so that the validity of the counter can be checked.
Each node N on the VHT is a tuple (nkey, v, c_l, c_r, h_N), where nkey is the key of node N, v is the value of node N, c_l and c_r are the left and right children of node N, and h_N is the hash value of node N, defined by the following formula (an image on the original page, not reproduced here):
[formula image not reproduced]
The key of node N is larger than the keys of all nodes in its left subtree and smaller than the keys of all nodes in its right subtree.
Further, the verifiable memory-leakage-resilient dynamic searchable encryption method uses collision-resistant hash functions, among them H_1 (their signatures are formula images not reproduced here), PCPA-secure (pseudo-random against chosen-plaintext attack) symmetric encryption schemes E_1 = (Enc_1, Dec_1) and E_2 = (Enc_2, Dec_2) whose domains are given in formula images not reproduced here, a pseudo-random permutation, a message authentication code MAC, and a secure signature scheme SIGN such as the BLS short signature, where d denotes the number of keywords contained in the dictionary.
Further, the verifiable memory-leakage-resilient dynamic searchable encryption method consists of the following six algorithms:
KeyGen(1^λ): on input the security parameter λ, generates the key K. The data owner randomly chooses t (n_1, d_1, m_1)-PUFs, an n_1-bit string s and a secret a_0 (the remaining notation is given in a formula image not reproduced here).
Enc: given the file set DB = {DB_1, …, DB_n}, the keyword set {w_1, …, w_m}, the public parameters PP and the key K, the data owner runs this probabilistic algorithm to generate the encrypted file set, the search index and a client state σ.
TrapGen(w, K, PP): given a query keyword w ∈ Δ, where Δ is the dictionary of all possible keywords, the data owner runs this algorithm to generate the trapdoor TK_w of w.
Search: on receiving the trapdoor TK_w, the cloud server matches it against the index and returns the search result R(w) together with the proof τ.
Verify(R(w), τ, K, PP, σ): the data owner runs this algorithm to check the validity of the search result; if the proof τ passes verification, the data owner accepts the search result R(w), otherwise R(w) is rejected.
Update(op, K, PP): op = {upd, c, W'} describes an update operation, where upd is the update type, c is the file being updated and W' is the set of keywords affected; the data owner performs different update operations according to op.
Further, in KeyGen(1^λ), each physically unclonable function PUF_i, i ∈ [1, t], is an (n_1, d_1, m_1)-PUF (its formal description is a formula image not reproduced here), and the data owner computes:
r_i = PUF_i(s), (z_i, hd_i) ← FE.Gen(r_i), i ∈ [1, t];
where FE = (FE.Gen, FE.Rep) is an (n_1, d_1, m_1) fuzzy extractor. The data owner then chooses a prime p larger than both a_0 and t and constructs, over the finite field of integers modulo p, the polynomial f(x) of degree k-1:
f(x) = a_0 + a_1 x + … + a_{k-2} x^{k-2} + a_{k-1} x^{k-1} mod p;
where a_1, …, a_{k-1} are integers chosen uniformly at random from [0, p). The data owner computes the shares f_1, …, f_t (the share formula is an image not reproduced here) and outputs the public parameters PP = {f_1, …, f_t, hd_1, …, hd_t, s, p} and the key K = {PUF_1, …, PUF_t}.
Further, in Enc, the data owner randomly selects k physically unclonable functions PUF_{t_1}, …, PUF_{t_k} from K, t_i ∈ [1, t], and for every i ∈ [1, k] recomputes the extracted value of PUF_{t_i} with FE.Rep (formula image not reproduced here). Together with the corresponding shares this recovers the polynomial f(x), and a_0 = f(0) is computed.
Building the index: for each keyword w_j, j ∈ [1, m], the data owner determines the set of identifiers of the files in the file set that contain w_j and the lexicographic rank of w_j (both denoted by symbols in images not reproduced here). The identifier set is converted into a bit string V_w of length l, l > n: for i ∈ [1, l], the i-th bit is set if and only if the condition in the omitted formula holds. At the same time the data owner computes the values in the omitted formula.
The verifiable hash table VHT is then built: for j ∈ [1, m], each node of the VHT is a tuple (nkey, v, c_l, c_r, h), where nkey is the key, v is the value, and c_l and c_r are the node's left and right children; the hash value of a node is defined by the omitted formula. Let h_root denote the hash value of the VHT root node. The data owner sets the counter T to 1, computes β, the MAC under K_2 = H_1(a_0‖2) over h_root and T (exact formula in an omitted image), and sets the index (omitted formula).
Building the encrypted file set: for each DB_i, i ∈ [1, n], the data owner computes:
K_3 = H_1(a_0‖id(DB_i)‖1),
the ciphertext of DB_i under K_3 (omitted formula),
K_4 = H_1(a_0‖id(DB_i)‖2),
and the MAC of that ciphertext under K_4 (omitted formulas),
and sets c_i to carry the same identifier as DB_i (omitted formula).
The data owner sends T and the user tag ID to the cloud server, which computes the signature δ = SIGN(T‖ID) and returns it to the data owner. Finally, the algorithm outputs the encrypted file set, the index and σ = (T, δ). The data owner outsources the index and the encrypted file set to the cloud server and stores σ locally.
Further, in TrapGen(w, K, PP), the data owner recovers a_0, computes K_1 = H_1(a_0‖1) and derives the trapdoor TK_w from K_1 and w (omitted formula), and sends TK_w to the cloud server.
Further, in Search, the cloud server looks on the index for the node whose key equals TK_w. If such a node N' is found, R(w) ← (N', N'); otherwise, let N_big be the node with the smallest key larger than TK_w and N_small the node with the largest key smaller than TK_w, and R(w) ← (N_big, N_small). The search path is recorded as the proof τ, and R(w) and τ are returned to the data owner.
Further, in Verify(R(w), τ, K, PP, σ), the data owner recovers a_0 from the key K and checks the two equations given in the omitted formula (one of them compares the MAC, computed over the root hash recomputed from the search path and the locally stored counter, with the returned MAC); if both equations hold, the data owner accepts R(w) and proceeds to the next check, otherwise outputs ⊥.
If the accepted R(w) consists of two identical nodes, the data owner computes V_w from the node value (omitted formula) and sends V_w to the cloud server; the cloud server returns the ciphertext set selected by V_w. For each returned ciphertext file the data owner checks its MAC (omitted formula) with K_4 = H_1(a_0‖id(DB_i)‖2); if the equation holds, the data owner outputs the result given in the omitted formula, otherwise outputs ⊥.
If the accepted R(w) consists of two different nodes, the data owner performs the check in the omitted formula and outputs ⊥.
Further, in Update(op, K, PP), the data owner proceeds according to op:
Modify: op = {modify, c_i, W'}. The data owner wants to replace c_i by c_i'. For each keyword w_j ∈ W', the data owner generates the corresponding trapdoor (omitted formula) and obtains the search result R(w_j); after R(w_j) passes verification (omitted formula), the data owner recovers the bit string of w_j from R(w_j) (omitted formula), sets it as in the omitted formula, encrypts it into a new node value (omitted formula) and replaces the old node value with it. After the nodes of all keywords w_j have been updated, the data owner sets T ← T+1, computes the new root hash h_root' and β' (omitted formula), and sends (c_i', h_root', β', T, ID) together with the updated nodes (omitted formula) to the cloud server. The cloud server sets h_root ← h_root', β ← β', c_i ← c_i', updates the VHT with the received nodes and computes δ' = SIGN(T‖ID); it sends δ' to the data owner, who sets δ ← δ' if δ' is valid.
Delete: op = {delete, c_i, W'}. c_i is replaced by the string "delete", and for each w_j ∈ W' the node is updated as in the omitted formula.
Add: op = {add, c_{n+1}, W'}. The data owner adds a new file c_{n+1}. For each new keyword w_j ∈ W', the data owner generates the corresponding trapdoor (omitted formula), obtains the search result R(w_j) and verifies it (omitted formula); the data owner then creates a child node (omitted formula) under the last node of the search path. After the nodes of all keywords w_j have been updated, the data owner sets T ← T+1, computes the new root hash h_root' and β' (omitted formula), and sends (c_{n+1}, h_root', β', T, ID) together with the new nodes (omitted formula) to the cloud server. The cloud server sets h_root ← h_root', β ← β', inserts c_{n+1}, updates the VHT with the new nodes and computes δ' = SIGN(T‖ID); it sends δ' to the data owner, who sets δ ← δ' if δ' is valid.
The invention further aims to provide a cloud server applying the verifiable memory leak prevention dynamic searchable encryption method.
The invention is based on physically unclonable functions and the verifiable hash table VHT, and is the first symmetric searchable encryption scheme to achieve both resistance to memory attacks and verifiability of search results. To resist memory attacks, no secret information is stored in non-volatile memory; instead, the key is regenerated at the moment of use from the outputs of the physically unclonable functions. Because a physically unclonable function can only be realised by its physical system and cannot be cloned, a memory attacker obtains no secret information. Combining the physically unclonable functions with secret sharing removes the instability of PUF-derived keys: even if some of the physically unclonable functions are damaged, the key can still be recovered from the remaining ones. To make search results verifiable, the secure index is built on the verifiable hash table. If the server tampers with a search result, the integrity of the verifiable hash table is broken and the root hash recomputed from the search path no longer verifies. Binding the root hash to a counter additionally prevents replay attacks.
Compared with Dai's memory-leakage-resilient searchable encryption scheme [Dai S, Li H, Zhang F. Memory leakage-resilient searchable symmetric encryption. Future Generation Computer Systems, 2016, 62:76-84], the invention adds verifiability of search results, improves security, and also reduces space complexity (Table 1). In Table 1, d is the number of keywords in the dictionary and m is the number of keywords contained in the outsourced document set.
TABLE 1 Scheme comparison
[table image not reproduced]
Drawings
Fig. 1 is a flowchart of the verifiable memory-leakage-resilient dynamic searchable encryption method according to an embodiment of the invention.
Fig. 2 is an example lookup table (VHT) according to an embodiment of the invention.
Fig. 3 shows index setup time for a fixed number of keywords (4000 keywords) according to an embodiment of the invention.
Fig. 4 shows index setup time for a fixed number of files (4000 files).
Fig. 5 shows search time for a fixed number of keywords (4000 keywords).
Fig. 6 shows search time for a fixed number of files (4000 files).
Fig. 7 shows verification time with 4000 files.
Fig. 8 shows the time of the add operation for a fixed number of files (4000 files).
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Symmetric Searchable Encryption (SSE) allows a data owner to outsource its encrypted data to a cloud server and still perform keyword retrieval over the outsourced ciphertext. SSE has become an important technology in the field of cloud computing.
The following detailed description of the principles of the invention is provided in connection with the accompanying drawings.
As shown in Fig. 1, the verifiable memory-leakage-resilient dynamic searchable encryption method provided in the embodiment of the invention includes the following steps:
Step one, setup: the data owner scans the file set to be outsourced, builds a secure index, encrypts the file set, and outsources the index and the encrypted file set to the cloud server;
Step two, search: the data owner generates a trapdoor for the keyword to be retrieved and sends it to the cloud server; the cloud server searches the index with the trapdoor and returns the search result and a proof to the data owner; the data owner verifies the proof and accepts the search result if verification passes, otherwise rejects it;
Step three, update: the data owner updates the encrypted file set and the affected keywords on the index, and the proof stored at the cloud server is updated.
The application of the principles of the present invention will now be described in further detail with reference to the accompanying drawings.
1. The method replaces long-term secret information with physically unclonable functions: the output of each physically unclonable function is one input to the secret sharing scheme and yields one share, so no secret information needs to be stored in non-volatile memory. If one physically unclonable function is damaged, the remaining ones can still recover the secret. The verifiable hash table VHT is used to build the secure index, and the hash value of the VHT root node serves as the proof for validating search results. Each node on the VHT corresponds to one keyword. Because a VHT has the properties of a binary search tree, searching on it is efficient, and updating a keyword amounts to updating its node. To thwart replay attacks, the VHT root hash is bound to a counter, and the server signs the counter so that its validity can be checked. The integrity of the ciphertext data is guaranteed by the MAC function.
1.1 The notation used in the scheme is summarised in Table 2. Without loss of generality, the files in DB are assumed to have the same length, i.e. DB_i ∈ {0,1}^q for all i ∈ [1, n].
TABLE 2 Symbol definitions
[table image not reproduced]
1.2 Concrete construction
The scheme uses collision-resistant hash functions, among them H_1 (their signatures are formula images not reproduced here). E_1 = (Enc_1, Dec_1) and E_2 = (Enc_2, Dec_2) are PCPA-secure (pseudo-random against chosen-plaintext attack) symmetric encryption schemes whose domains are given in formula images not reproduced here. In addition, a pseudo-random permutation, a message authentication code MAC and a secure signature scheme SIGN, such as the BLS short signature, are used; d denotes the number of keywords contained in the dictionary. The invention consists of six algorithms (KeyGen, Enc, TrapGen, Search, Verify, Update), as follows:
KeyGen(1^λ)
λ is the security parameter. The data owner runs this algorithm to generate the key K. First, the data owner randomly chooses t (n_1, d_1, m_1)-PUFs PUF_1, …, PUF_t (their formal description is a formula image not reproduced here), an n_1-bit string s and a secret a_0, and computes:
r_i = PUF_i(s), (z_i, hd_i) ← FE.Gen(r_i), i ∈ [1, t];
where FE = (FE.Gen, FE.Rep) is an (n_1, d_1, m_1) fuzzy extractor. Next, the data owner chooses a prime p larger than both a_0 and t and constructs, over the finite field of integers modulo p, the polynomial f(x) of degree k-1:
f(x) = a_0 + a_1 x + … + a_{k-2} x^{k-2} + a_{k-1} x^{k-1} mod p;
where a_1, …, a_{k-1} are integers chosen uniformly at random from [0, p). Finally, the data owner computes the shares f_1, …, f_t (the share formula is an image not reproduced here) and outputs the public parameters PP = {f_1, …, f_t, hd_1, …, hd_t, s, p} and the key K = {PUF_1, …, PUF_t}.
Figure BDA00014725894700001118
Given text set
Figure BDA00014725894700001119
Set of keywords
Figure BDA00014725894700001120
The public parameter PP and the secret key K, the data owner runs the probability algorithm to generate the encrypted file set
Figure BDA00014725894700001121
Search index
Figure BDA00014725894700001122
And a client state sigma.
The data owner randomly selects K physically unclonable functions from K.
Figure BDA00014725894700001123
Representing a randomly selected physically unclonable function, where ti∈[1,t]. For all i e [1, k ∈ ]]And calculating:
Figure BDA0001472589470000113
in connection with corresponding sharing
Figure BDA0001472589470000114
Can easily recover the polynomial f (x) and calculate a0F (0). Structure index
Figure BDA00014725894700001124
For each keyword
Figure BDA0001472589470000115
j∈[1,m]The data owner first establishes
Figure BDA0001472589470000116
And
Figure BDA0001472589470000117
then will be
Figure BDA0001472589470000118
Converted into a character string V with length of one bitwAnd l is more than n. For i e [1, l ∈ ]]And if and only if
Figure BDA0001472589470000119
When the temperature of the water is higher than the set temperature,
Figure BDA00014725894700001110
at the same time, the data owner calculates:
Figure BDA00014725894700001111
a verifiable hash table VHT is created which is also a look-up table. For j e [1, m],VHTEach node of
Figure BDA00014725894700001112
Is a tuple
Figure BDA00014725894700001113
Wherein
Figure BDA00014725894700001114
Is a key of the series of keys,
Figure BDA00014725894700001115
is a value, clAnd crRepresenting nodes
Figure BDA00014725894700001116
Left and right child nodes. The hash value of a node is defined as:
Figure BDA00014725894700001117
an example of a look-up table is given in figure 2. Each node in the lookup table maps a key. By using hrootRepresenting a hash value of the VHT root node. The data owner sets T to 1 and calculates:
K2=H1(a0‖2),
Figure BDA0001472589470000121
is provided with
Figure BDA0001472589470000122
Establishing an encrypted fileset
Figure BDA0001472589470000123
For each DBi,i∈[1,n]The data owner calculates:
K3=H1(a0‖id(DBi)‖1),
Figure BDA0001472589470000124
K4=H1(a0‖id(DBi)‖2),
Figure BDA0001472589470000125
Figure BDA0001472589470000126
setting ciOwned and DBiThe same identifier is used for the identification of the same,
Figure BDA0001472589470000127
the data owner sends T and ID to the cloud server, which computes a signature δ ═ SIGN (T | ID) and returns to the data owner. Finally, the algorithm outputs
Figure BDA0001472589470000128
and σ = (T, δ). The data owner outsources
Figure BDA0001472589470000129
And
Figure BDA00014725894700001210
to the cloud server and stores σ locally.
TrapGen(w,K,PP)
Given a query keyword w ∈ Δ, the data owner runs this algorithm to generate the trapdoor of w. First, the data owner recovers a0 and calculates:
K1 = H1(a0 ‖ 1),
Figure BDA00014725894700001211
Let
Figure BDA00014725894700001212
Finally, the data owner sends TKw to the cloud server.
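The recovery of a0 that KeyGen sets up and that TrapGen performs above, as an added Python example (not the patent's own code): Shamir-style shares over a prime field, where the fuzzy-extractor output of each PUF is taken as the evaluation point of the polynomial f and the share f(x_i) is the public parameter; the field prime P and the simulated PUF outputs are constructed assumptions, since the page fixes neither.

```python
import secrets

# Added example, not the patent's code. Assumptions: x_i = FE(PUF_i) is the
# evaluation point, y_i = f(x_i) is the public share, arithmetic is over GF(P).
P = 2**127 - 1  # field prime (assumption; the page does not fix a field)

def eval_poly(coeffs, x):
    """Horner evaluation of f(x) = a0 + a1*x + ... + a_{k-1}*x^{k-1} mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def make_shares(a0, k, puf_outputs):
    """KeyGen side: degree-(k-1) polynomial with f(0) = a0; one share per PUF."""
    # evaluation points must be distinct and non-zero, otherwise a share leaks a0
    assert len(set(puf_outputs)) == len(puf_outputs) and 0 not in puf_outputs
    coeffs = [a0 % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [eval_poly(coeffs, x) for x in puf_outputs]

def recover_a0(points):
    """TrapGen/Index side: a0 = f(0) from any k (x_i, y_i) pairs, Lagrange at 0."""
    a0 = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        a0 = (a0 + yi * num * pow(den, P - 2, P)) % P
    return a0

def demo(k=4, t=5):
    """Use the page's parameters k = 4, t = 5: re-evaluate the PUFs, pick k of the
    t devices, and recover a0 even though one PUF is treated as corrupted."""
    a0 = secrets.randbelow(P)
    puf_outputs = [secrets.randbelow(P - 1) + 1 for _ in range(t)]  # constructed x_i
    shares = make_shares(a0, k, puf_outputs)  # published as part of PP
    points = list(zip(puf_outputs, shares))[1:1 + k]  # PUF_1 assumed unusable
    return a0, recover_a0(points)
```

With fewer than k points the interpolation yields an unrelated value, which is what lets the owner keep only the PUFs (not a0) in non-volatile storage.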
Figure BDA00014725894700001213
with the index
Figure BDA00014725894700001214
When receiving the trapdoor TKw, the cloud server runs this algorithm to match the trapdoor against the index. The node on the VHT matching TKw is returned to the data owner as the search result R(w) together with the search proof τ. The search process is summarized in Algorithm 1. For simplicity, the keys of the nodes are denoted by nkey, with
Figure BDA00014725894700001215
representing the VHT root node.
Figure BDA00014725894700001216
Figure BDA0001472589470000131
In Algorithm 1, L contains a search path from the root node to the closed node, the child nodes of the closed node, and the sibling nodes of the nodes on the search path.
Verify(R(w),τ,K,PP,σ)
Since a malicious server may return erroneous results, the data owner runs a verification algorithm on the search results.
On receiving the search result R(w) and the proof τ, the data owner recomputes the hash value of the root node along the search path and denotes it hroot′. At the same time, the data owner recovers a0 from the key K and checks:
Figure BDA0001472589470000141
If these two equations hold, the data owner accepts R(w) and continues with the next verification; otherwise it outputs ⊥.
If the accepted R(w) consists of two identical nodes, the data owner calculates:
Kw = H1(a0 ‖ w),
Figure BDA0001472589470000142
and sends Vw to the cloud server. According to Vw, the cloud server returns the corresponding ciphertext set
Figure BDA0001472589470000143
For each ciphertext file
Figure BDA0001472589470000144
the data owner checks
Figure BDA0001472589470000145
where K4 = H1(a0 ‖ id(DBi) ‖ 2). If the equation holds, the data owner outputs
Figure BDA0001472589470000146
Otherwise, it outputs ⊥.
If the accepted R(w) consists of two different nodes, let
Figure BDA0001472589470000147
and output ⊥.
Update(op,K,PP)
Let op = {upd, c, W′} represent an update operation, where upd is the update type, c the updated file, and W′ the updated keyword set. According to op, the data owner performs the following operations:
Modify: op = {modify, ci, W′}. Suppose the data owner wants to modify ci to ci′. For each keyword wj ∈ W′, the data owner first generates the corresponding trapdoor
Figure BDA0001472589470000148
and obtains the search result R(wj). R(wj) must pass verification
Figure BDA0001472589470000149
Then the data owner recovers from R(wj)
Figure BDA00014725894700001410
and sets
Figure BDA00014725894700001411
encrypts
Figure BDA00014725894700001412
as
Figure BDA00014725894700001413
to replace
Figure BDA00014725894700001414
After the nodes of all keywords wj have been updated, set T ← T + 1 and compute the new root hash value hroot′ and
Figure BDA00014725894700001415
Send (ci′, hroot′, β′, T, ID) and
Figure BDA00014725894700001416
to the cloud server. Finally, the cloud server sets hroot ← hroot′, β ← β′, ci ← ci′, uses
Figure BDA00014725894700001417
to update the VHT, and computes δ′ = SIGN(T ‖ ID). The cloud server sends δ′ to the data owner, which sets δ ← δ′ if δ′ is valid.
Delete: op = {delete, ci, W′}. Deleting ci can be seen as a special modification operation, namely modifying ci to the string "delete" and, for each wj ∈ W′, setting
Figure BDA00014725894700001418
Add: op = {add, cn+1, W′}. Suppose the data owner adds a new file cn+1. For each keyword wj ∈ W′, if
Figure BDA0001472589470000151
the add operation can be regarded as the special modification operation that sets
Figure BDA0001472589470000152
. Otherwise, the data owner first generates the corresponding trapdoor
Figure BDA0001472589470000153
obtains the search result R(wj) and verifies
Figure BDA0001472589470000154
Next, the data owner creates a child node under the last node of the search path
Figure BDA0001472589470000155
After the nodes of all keywords wj have been updated, set T ← T + 1 and compute the new root hash value hroot′ and
Figure BDA0001472589470000156
Send (cn+1, hroot′, β′, T, ID) and
Figure BDA0001472589470000157
to the cloud server. Finally, the cloud server sets hroot ← hroot′, β ← β′, inserts cn+1, uses
Figure BDA0001472589470000158
to update the VHT, and computes δ′ = SIGN(T ‖ ID). The cloud server sends δ′ to the data owner, which sets δ ← δ′ if δ′ is valid.
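The index construction, the search of Algorithm 1, the verification and the modify update described above, as an added Python example that is not the patent's own code: a minimal VHT (binary search tree with Merkle-style node hashes), the cloud's search proof, the owner's root recomputation and MAC check, and a value replacement with counter increment. H1 is instantiated as SHA-256, MAC as HMAC-SHA-256, an absent child hashes to 32 zero bytes and the node hash is taken as H(nkey ‖ v ‖ h_cl ‖ h_cr); all of these are assumptions, since the page's formulas are not reproduced in the text.

```python
import hashlib
import hmac

# Added example: minimal VHT (BST + Merkle-style node hashes). Assumptions: H1 = SHA-256,
# MAC = HMAC-SHA-256, absent child hashes to 32 zero bytes, h_N = H(nkey||v||h_cl||h_cr).
EMPTY = b"\x00" * 32

def H(*parts):
    return hashlib.sha256(b"|".join(parts)).digest()

class Node:
    def __init__(self, nkey, v):
        self.nkey, self.v, self.cl, self.cr, self.h = nkey, v, None, None, None

def hash_of(n):
    return EMPTY if n is None else n.h

def rehash(n):  # recompute h_N from the node's own fields and its children's hashes
    n.h = H(n.nkey, n.v, hash_of(n.cl), hash_of(n.cr))
    return n

def insert(root, nkey, v):
    """BST insert; an existing key gets its value replaced (this is the modify
    update: the owner then sets T <- T+1 and computes beta' = mac(K2, h_root', T))."""
    if root is None:
        return rehash(Node(nkey, v))
    if nkey < root.nkey:
        root.cl = insert(root.cl, nkey, v)
    elif nkey > root.nkey:
        root.cr = insert(root.cr, nkey, v)
    else:
        root.v = v
    return rehash(root)  # every node on the path gets a fresh hash

def mac(k2, hroot, T):
    # beta = MAC_K2(h_root || T) binds the root hash to the owner's counter T
    return hmac.new(k2, hroot + T.to_bytes(8, "big"), hashlib.sha256).digest()

def search(root, tk):
    """Cloud side (Algorithm 1, simplified): walk the BST for trapdoor tk. The proof
    is the ancestors as (nkey, v, sibling hash, went_left) plus the closing node."""
    path, n, prev = [], root, None
    while n is not None and n.nkey != tk:
        prev = n
        if tk < n.nkey:
            path.append((n.nkey, n.v, hash_of(n.cr), True)); n = n.cl
        else:
            path.append((n.nkey, n.v, hash_of(n.cl), False)); n = n.cr
    if n is None:  # key absent: the last node visited closes the search
        n = prev
        path.pop()
    return n.nkey == tk, (n.nkey, n.v, hash_of(n.cl), hash_of(n.cr)), path

def verify(result, beta, k2, T, tk):
    """Client side: recompute h_root' from the proof and check MAC_K2(h_root' || T)
    against beta. Returns the value, b'' when tk is provably absent, or None (bottom)."""
    found, (nkey, v, hl, hr), path = result
    h = H(nkey, v, hl, hr)
    for anc_key, anc_v, sib, went_left in reversed(path):
        if went_left != (tk < anc_key):  # the path must be the one tk would take
            return None
        h = H(anc_key, anc_v, h, sib) if went_left else H(anc_key, anc_v, sib, h)
    if not hmac.compare_digest(mac(k2, h, T), beta):
        return None
    if found:
        return v if nkey == tk else None
    return b"" if (hl if tk < nkey else hr) == EMPTY else None
```

Because beta covers the counter, a stale proof replayed after a modify no longer verifies against the owner's current T, which is what the counter and signature kept locally are for.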
The effect of the present invention is described in detail below with reference to the efficiency analysis.
1. Kurosawa's protocol [Kurosawa K, Ohtaki Y. How to Update Documents Verifiably in Searchable Symmetric Encryption [C] // International Conference on Cryptology and Network Security. Springer, Cham, 2013: 309-328] and Dai's protocol [Dai S, Li H, Zhang F. Memory leakage-resilient searchable symmetric encryption [J]. Future Generation Computer Systems, 2016, 62: 76-84] are compared with the present invention. First, the invention achieves memory leakage resilience and verifiable search results at the same time. Second, the present invention is efficient because it involves neither exponentiation operations nor symmetric fully homomorphic encryption, and the computational overhead of the client is independent of the file set size. Finally, in Dai's scheme the client needs to store a table of size O(d) locally to complete a search, where d is the number of all possible keywords in the dictionary, whereas in the present invention the client only needs to keep one counter and one signature locally. Compared with Dai's scheme, the space complexity of the invention is therefore smaller. Furthermore, even if some of the physically unclonable functions are corrupted, the present invention can still recover the key, whereas Dai's scheme cannot.
Table 3 shows a comparison of the three protocols. In the table, n denotes the number of files in the file set
Figure BDA0001472589470000159
and m the number of keywords in the keyword set
Figure BDA00014725894700001510
; u denotes the number of files returned by the search, |W| the number of updated keywords, k the number of physically unclonable functions selected to reconstruct the secret information, U an operation on a physically unclonable function and the fuzzy extractor, I an integer comparison operation, P a symmetric fully homomorphic encryption operation, D a group exponentiation operation, Z a hash operation, and A a MAC operation.
Table 3: Comparison of the three protocols

Scheme                              Kurosawa protocol   Dai protocol    This invention
Memory leak resistance              Not supported       Supported       Supported
Verifiability                       Supported           Not supported   Supported
Search computation (server)         (mn-u)(Z+A)         1P              logm I
Verification computation (client)   (u+n)(Z+A)          -               logm A + (u+1)M + 1D + kU
Add computation (client)            (m+1)(Z+A)          |W|(2U+P)       (|W|+1)(logm A + M) + |W|D + kU
1.1 efficiency analysis
The proposed memory-leakage-resilient dynamic SSE scheme was simulated experimentally on a Windows system with a 2.60 GHz CPU and 8 GB of RAM.
Figures 3 through 8 compare the indexing, search, verification and update times with the scheme of Dai. In this timing experiment, the number of keywords in the dictionary is set to 40000, and k = 4 and t = 5 in the invention. Figures 3 and 4 show that the index creation time of the invention is linear in the number m of keywords and independent of the number n of files. Although the index set-up overhead is large, it is a one-time cost. Figures 5 and 6 show the advantage of the present invention over Dai's scheme in the search phase when the number of files is suitable. In fact, the search time of the present invention is linear in log m. Even when m is 8000, the search time of the present invention is only 11 ms, which is sufficiently efficient. Figure 7 shows that verification in the present invention is very fast and that the verification time grows slowly as the number of keywords increases; the client overhead increases only slightly while security is improved. Figure 8 shows the time comparison of the add operation; the time overhead of the add operation in the invention is in milliseconds, which is sufficient for practical application.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (7)

1. A verifiable memory leak prevention dynamic searchable encryption method, characterized in that physically unclonable functions are used to replace long-term information stored in non-volatile memory, and the output of each physically unclonable function is used as one input of a polynomial in a secret sharing technique to construct the corresponding share; a verifiable hash table VHT is used to construct a secure index, wherein the hash value of the VHT root node serves as evidence to verify the correctness and integrity of a search result, and each node on the VHT corresponds to a keyword; updating a keyword is updating the corresponding node on the VHT; the hash value of the VHT root node is bound to a counter, and the cloud server signs the counter;
the verifiable memory leak prevention dynamic searchable encryption method uses an anti-collision hash function
Figure FDA0002924458690000011
And
Figure FDA0002924458690000012
PCPA-secure symmetric encryption algorithms E1 = (Enc1, Dec1) and E2 = (Enc2, Dec2), where
Figure FDA0002924458690000013
Figure FDA0002924458690000014
Pseudo-random permutation
Figure FDA0002924458690000015
Message authentication code
Figure FDA0002924458690000016
and a secure signature scheme SIGN (BLS short signature), where d represents the number of keywords contained in the dictionary;
the verifiable memory leak prevention dynamic searchable encryption method further comprises the following six algorithms:
KeyGen(1^λ): takes a security parameter λ and outputs the secret key K kept by the data owner and the public parameter PP;
Figure FDA0002924458690000017
takes a document set
Figure FDA0002924458690000018
keyword set
Figure FDA0002924458690000019
secret key K and public parameter PP, and outputs a secure index
Figure FDA00029244586900000110
encrypted file set
Figure FDA00029244586900000111
and a data owner state σ;
Figure FDA00029244586900000112
and
Figure FDA00029244586900000113
are outsourced to the cloud server;
TrapGen(w, K, PP): takes the search keyword w, the key K and the public parameter PP, and outputs the trapdoor TKw;
Figure FDA00029244586900000114
when receiving the trapdoor TKw, the cloud server runs this algorithm on the index
Figure FDA00029244586900000115
and returns the corresponding search result R(w) and search proof τ;
Verify(R(w), τ, K, PP, σ): if the search result R(w) passes verification against the proof τ, accepts R(w) and outputs the corresponding ciphertext set
Figure FDA00029244586900000116
otherwise outputs ⊥;
Update(op, K, PP): takes an update operation op (modify, add or delete), the data owner state σ and the key K, and outputs the updated index
Figure FDA0002924458690000021
encrypted file set
Figure FDA0002924458690000022
and data owner state σ′.
2. The verifiable memory leak prevention dynamic searchable encryption method according to claim 1, wherein in KeyGen(1^λ) the data owner first randomly selects t physically unclonable functions (n1, d1, m1)-PUF, one (n1, d1, m1) fuzzy extractor FE and a secret a0; the data owner then constructs a polynomial f(x) for the secret a0 and computes the shares of the secret sharing technique using the (n1, d1, m1)-PUFs and the fuzzy extractor FE; the key K is the selected physically unclonable functions, and the computed shares are the public parameter.
3. The verifiable memory leak prevention dynamic searchable encryption method according to claim 1, wherein in
Figure FDA0002924458690000023
the data owner first recovers the secret a0 from the secret key K and the public parameter, and the keys of the cryptographic tools used in the algorithm are derived from a0; the data owner scans the outsourced file set, builds the keyword set and the corresponding set of file identifiers, and then builds the index using a verifiable hash table VHT
Figure FDA0002924458690000024
, computes the root node hash value of the VHT, and computes a MAC over that hash value and a counter; the VHT is a binary tree structure that combines the properties of a Merkle hash tree and a binary search tree; each node N on the VHT is a tuple (nkey, v, cl, cr, hN), where nkey is the key of node N, v the value of node N, cl and cr its left and right children respectively, and hN the hash value of node N, defined as
Figure FDA0002924458690000025
; the key of node N is larger than the keys of all nodes in its left subtree and smaller than the keys of all nodes in its right subtree.
4. The verifiable memory leak prevention dynamic searchable encryption method according to claim 1, wherein in TrapGen(w, K, PP) the search trapdoor of a keyword is the pseudo-random permutation of that keyword's position in lexicographic order.
5. The verifiable memory leak prevention dynamic searchable encryption method according to claim 1, wherein in
Figure FDA0002924458690000026
the index
Figure FDA0002924458690000027
is a verifiable hash table VHT; the VHT is searched for the node matching TKw, the matched node is the search result, and the search path is the search proof.
6. The verifiable memory leak prevention dynamic searchable encryption method according to claim 1, wherein in Verify(R(w), τ, K, PP, σ) the data owner recomputes the hash value of the VHT root node along the search path and computes a MAC over the recomputed hash value and the locally stored counter; if the computed MAC value matches the MAC returned by the cloud server, verification passes, otherwise it fails.
7. The verifiable memory leak prevention dynamic searchable encryption method according to claim 1, wherein in Update(op, K, PP) the update of an existing keyword modifies the value of the corresponding node on the VHT and the update for a newly added keyword adds a new node; every update operation increments the counter by one and recomputes the root node hash value and the MAC value of the VHT.
CN201711146556.1A 2017-11-17 2017-11-17 Verifiable memory leak prevention dynamic searchable encryption method and cloud server Active CN108055122B (en)
